malwarewikiaorg-20200223-history
Stages
Stages also known as Scrapworm is the first email worm to use a false extension as a form of social engineering to fool users into thinking they were opening something other than a worm. It can spread through email and the IRC chat clients mIRC and Pirch. Behavior Stages may arrive as an email attachment. The "From:" line will be the actual address it was sent from. The subject line may be one of three possibilities: *Life Stages *Funny *Jokes The body of the message may be blank or contain the text "> The male and female stages of life." or "> The male and female stages of life. Bye.". When the worm is executed, it creates a text file in the temporary folder and opens it to display the following text: - The male stages of life: Age. Seduction lines. 17 My parents are away for the weekend. 25 My girlfriend is away for the weekend. 35 My fiancee is away for the weekend. 48 My wife is away for the weekend. 66 My second wife is dead. Age. Favorite sport. 17 Sex. 25 Sex. 35 Sex. 48 Sex. 66 Napping. Age. Definiton of a successful date. 17 Tongue. 25 Breakfast. 35 She didn't set back my therapy. 48 I didn't have to meet her kids. 66 Got home alive. - The female stages of life: Age. Favourite fantasy. 17 Tall, dark and hansome. 25 Tall, dark and hansome with money. 35 Tall, dark and hansome with money and a brain. 48 A man with hair. 66 A man. Age. Ideal date. 17 He offers to pay. 25 He pays. 35 He cooks breakfast next morning. 48 He cooks breakfast next morning for the kids. 66 He can chew his breakfast. Stages opens Outlook and takes 100 random addresses from each address list and sends a copy of itself to these addresses. It makes a copy of itself to the Windows directory with the name "LIFE_STAGES.TXT.SHS". It also adds the files MSINFO16.TLB, SCANREG.VBS and VBASET.OLB to the Windows directory. The worm also leaves four files in the Recycled directory, DBINDEX.VBS, MSRCYCLD.DAT, RCYCLDBN.DAT and RECYCLED.VXD. Stages also places randomly named files on the root directory on every mapped drive, "My Documents" and "Windows\Start Menu\Programs". The extension is always .TXT.SHS, but the name consists of one of five possibilities for the first part, a dash or underscore, then a random number between 0 and 99. The names it may choose for the first part are IMPORTANT, INFO, REPORT, SECRET and UNKNOWN. Therefore, a filename might look something like REPORT-666.TXT.SHS or SECRET_19.TXT.SHS. The worm adds SCANREG.VBS to the local machine registry key that causes this file to be run while the operating system loads before the user logs in. The worm scans for a file named MIRC.INI on all local drives. It places a file named SOUND32B.DLL in all directories. This file contains instructions to send the file LIFE_STAGES.TXT.SHS to all users on the same IRC channel as the infected system. It adds a reference to SOUND32B.DLL in the "rfiles" section of MIRC.INI. It adds the following values to several subkeys of a registry key specific to an ICQ client which cause the worm to reactivate when ICQ starts: *Enable = "Yes" *Parameters = "C:\RECYCLED\DBINDEX.VBS" *Path = "WSCRIPT.EXE" *Startup = "C:\WINDOWS" It moves REGEDIT.EXE to the recyle bin under the name RECYCLED.VXD. Effects Stages was most common in the US, but was also found in other parts of the world. It hit several US companies, causing the FBI to launch an investigation. Visa International and Microsoft shut down their email systems to deal with the infections. Internet analyst firm Zona research was hit with Stages, with at least two users opening the attachment. Trend Micro confirmed 430 infections with its "Virus Tracker". Email provider MailZone.net caught 5,400 copies of the worm. Symantec rated it as a "Category 4" threat, its second-highest rating. It also spread to India, Australia and the Phillipines. The worm was also prominent in Australia, where at least six companies and a university were infected with the worm. One law firm there reported several desktop machines infected, requiring a few hours of work to remove the worm from the mail system. Two unnamed Symantec customers and three Trend Micro customers reported the worm. 180 desktops at the University of Southern Queensland were infected with Stages. The University mail servers were shut down for 24 hours. Category:Worm Category:Multi-Vector Category:Multiple vector worm Category:Microsoft Windows Category:Email worm